Judge shreds, dismisses iPhone privacy class-action

A federal judge has dismissed a class-action lawsuit filed against Apple and …

From time to time, we will be running posts from Eric Goldman's Technology & Marketing Law Blog. Sometimes they will look similar to other articles appearing on Ars; other posts will be more "bloggy" in nature. This is one of the latter.

iPhone users sued Apple and various advertising networks, alleging that defendants violated their privacy rights "by... allowing third party applications that run on [iOS devices] to collect and make use of... personal information without user consent or knowledge." The court dismisses the claims, but grants leave to amend.

Judge Koh's order has the feel of a professor grading an exam, and it covers a lot of ground, including many cases we've blogged about. (It's well worth the read.)

Plaintiffs claimed that they were not put on notice of this tracking. Plaintiffs also alleged that the "Mobile Industry Defendants" exploited this information and "use[d] the merger of personal information to effectively or actually de-anonymize consumers." Despite being put on notice, Plaintiffs claimed Apple did not take any action to prevent this tracking and use of information.

Standing

Plaintiffs argued that they suffered three types of injury: (1) their personal information was misappropriated; (2) the personal information diminished in value; and (3) they suffered lost "opportunity costs" in having installed the apps and suffered a diminution in value of their devices because the devices are "less secure" and "less valuable." The court says that the complaint has a deeper standing issue: plaintiffs failed to allege what injury they suffered personally (or as a class) as well as identify what apps they used, what personal information was accessed, and what harm resulted. The court also says that the allegations are "especially slim with respect to... Apple."

The court also says that there's another issue with the complaint: plaintiffs fail to allege a "concrete harm." Citing to Specific Media, JetBlue, and Doubleclick, the court says, "[as in Specific Media, plaintiffs have] not alleged any 'particularized example' of economic injury or harm to their computers, but instead offer only abstract concepts, such as 'opportunity costs,' 'value-for-value exchanges,' 'consumer choice,' and 'diminished performance.'"

Plaintiffs pointed to Doe v. AOL, but the court distinguishes it on the basis that in that case there were "specific allegations" of the danger of public disclosure of "highly sensitive information." Plaintiffs' allegations in this case "come nowhere close" to the allegations in AOL. Plaintiffs also cite the Facebook privacy case, but the court distinguishes it on the basis that the Facebook privacy case involved Wiretap Act claims which only require a showing that a person's communication was "intercepted, disclosed or used" in violation of the statute. Here, there's no analogous statute.

The court also says that the alleged injuries are not "fairly traceable" to defendants. There is no allegation that Apple misappropriated the data, and plaintiffs did not distinguish between the "mobile industry defendants," which made it tough to figure out which of the defendants the plaintiffs are trying to hold liable and for what misappropriation. The court dismisses on the basis of standing with a cautionary note to plaintiffs: "any amended complaint must provide specific allegations with respect to the causal connection between the exact harm alleged (whatever it is) and each Defendants' conduct or role in that harm."

Other problems

Although the court dismisses on standing grounds, it goes on to address alternate arguments raised by defendants and other issues in the case.

End-user agreements

Apple argued that various end-user agreements barred claims for the alleged injuries. Plaintiffs argued that the agreements were contracts of adhesion. The court says that plaintiffs will have trouble with both prongs of the adhesion argument as they have alternatives available, and the contract in question is for a recreational activity. The court does not outright reject the adhesion argument, but it sends plaintiffs a signal that they should articulate in their amended complaint why Apple should be held responsible despite any terms in the agreements.

Particularity and the absence of app developers

The court says that, as to the mobile industry defendants, the complaint fails to allege what role each of the defendants played in the alleged harm. This needs to be fixed in any amended complaint. Apple also raised the argument that the app developers were necessary parties but the court rejects this argument. At this stage, the court declines to dismiss the lawsuit for failure to join the developers.

Negligence

The court identifies two problems with the negligence claims. Apple does not necessarily have a legal duty to protect end-user information from third-party app developers and damages are speculative.

Breach of the duty of good faith

The court tells plaintiffs to identify which of the end user agreements and privacy agreements plaintiffs are using to support their duty of good faith claim.

Consumer Legal Remedies Act

The court questions whether the statute is applicable at all to software--it covers the sale of goods and services (citing Ferrington v. McAfee).

Consumer Fraud and Abuse Act

The court says that plaintiffs' Computer Fraud and Abuse Act claims are deficient for three reasons. First, there is no allegation that Apple acted "knowingly." Plaintiffs only allege that Apple failed to take "meaningful steps" to police third-party developers. Second, since the software was downloaded voluntarily, this tends to undermine a claim that the access was "without authorization" or "exceeded authorized access." Finally, the court says that only economic damages are available and damages for "death, personal injury, mental distress, and the like" are not available. There are no allegations of economic harm. Although damages can be aggregated where the violation can be described as "one act," plaintiffs failed to point to any "single act" of harm by defendants.

California's anti-hacking statute

The court says (citing Facebook v. Power Ventures) that the phrase "without permission" in the statute is more narrowly construed that in the Computer Fraud and Abuse Act. In Power Ventures, the court held that the mere violation of a terms of use does not violate the statute. In that case, the court held that Facebook would have to show that Power Ventures circumvented technical barriers of some sort. The court says that plaintiffs fail to articulate how access falls into this category. Plaintiffs also pointed to a section of the statute which imposes liability for the introduction of "computer contaminants." The court says that this section contains a requirement that the introduction of the contaminant be without permission. The court says that the subsection addressing computer contaminants is aimed at "viruses or worms," and it does not look like the apps in question fall into this category.

Trespass to chattels

Under Intel v. Hamidi, a trespass to chattels claim based on access to a computer server requires impairment or loss of use. The court says plaintiffs have not adequately pled this element.

Unfair competition

In order to bring an unfair competition claim, a plaintiff needs to have suffered damage or lost money or other property. The court says it is skeptical of the "personal information as currency" argument (citing to the recent Facebook privacy ruling). The court also says that it's unclear as to whether plaintiffs paid money for the apps in question.

Unjust enrichment

There is no separate cause of action for unjust enrichment under California law. The court says that restitution may be available as an equitable remedy in lieu of contract damages. If plaintiffs amend their complaint, they are directed to clarify what they are looking for in terms of restitution.

Conclusion

Judge Koh goes through and basically shreds the complaint. A consistent theme is the plaintiffs' lack of specificity. This is not surprising, because the trigger for the complaint is a news story or a scholarly study, rather than a specific event that a plaintiff had awareness of when it happened. The court's order makes clear that, even if plaintiffs get past the allegation of harm issue, there are numerous other hurdles that stand in the way of holding the defendants liable. In particular, she says that Apple as the third party is somewhat removed from the information collection, and plaintiffs are not going to have an easy time holding Apple liable. Apple may also have a robust defense in its end user agreement(s). Other than knocking down plaintiffs' unconscionability argument, the court did not get into specifics of what those agreements contain that may limit Apple's liability, but that they are sure to contain something.

All of this has to be good news for Apple. It's also somewhat surprising that the issue of arbitration has not come up. Apple may be able to assert a Section 230 defense, either based on section (c)(1) for its putative liability based on the developers' actions, or under (c)(2) for the negligence claim that it failed to police its App Store properly.

Lower courts have overwhelmingly rejected the latest wave of privacy class actions, and evinced deep skepticism towards the theory that the collection of personal information alone by a private entity constitutes harm. Courts also do not seem excited about the theory that tracking somehow harms end users because it diminishes the value of their personal information, nor do they seem excited about the "information as currency" argument. I think it's fair to say that, while the case law leans towards the defendants, there's not necessarily a ton of Ninth Circuit precedent that directly speaks to the issues raised by tracking cases, although it's possible that some set of plaintiffs may have better luck in the Ninth Circuit.